[Hackathon] Guillermo Weinmann: bonded_trust — a Sybil-resistant trust root#53
Open
moltpass wants to merge 2 commits into
Open
[Hackathon] Guillermo Weinmann: bonded_trust — a Sybil-resistant trust root#53moltpass wants to merge 2 commits into
moltpass wants to merge 2 commits into
Conversation
…t root Trust layer. The merged/open trust plugins (score_average, EigenTrust-style plugins, agent_receipts) ration influence among identities that already exist; none stops the free minting of identities. The EigenTrust submissions concede it: "if NEST's auth/identity layers fail upstream, no trust layer can save you." bonded_trust relocates the Sybil anchor out of the identity layer and into a SCARCE, LEDGER-BACKED stake. It doesn't beat Douceur (2002) — and takes it seriously: the resource must be genuinely scarce and verified, not self-asserted. - Ledger-backed self-bond: a trust root is pinned at the floor (0.0) until the agent RESERVES a bond through a StakeLedger. A broke Sybil that sends bond:1000000 gets nothing. Total bond is bounded by the scarce supply, so splitting a budget across K identities buys no more influence than one. - Reporter-weighting: reports count in proportion to the reporter's bond; unbonded reporters carry zero weight; self-reports are ignored. Pluggable scarcity anchor (StakeLedger): payments credits (CreditBackedLedger), proof-of-work (ProofOfWorkLedger, sha256), or a consensus grant — all the same interface. SelfDeclaredLedger is the documented insecure default (test only). Adversarial proof: the sybil_bond scenario has 20 Sybils ACTUALLY bid bond:1000000 on empty wallets and cross-endorse, vs 5 credit-funded honest traders. Three validators (no_free_trust, honest_trusted, attempts_rejected) FAIL under score_average, PASS under bonded_trust. Hardened per an adversarial review: unbacked stake -> ledger-enforced; Sybils now attempt bonds (not assumed to abstain); removed weight_cap footgun; ignore self-vouches; reject min_bond=0; scoped the Douceur claim to the injected ledger. Artifacts: trust/bonded_trust.py, trust/stake_ledgers.py, scenarios_builtin/sybil_bond.py + scenarios/sybil_bond.yaml (+ bundled copy), three sybil_bond validators, adversarial + property + PoW tests, 5-seed end-to-end proof + determinism. make ci-local green. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Adds three self-contained tests verifying bonded_trust clears the classic adversarial reputation properties — a self-vouching clique, self-promotion, and a distrusted reporter all fail to move a bonded agent — translated from EigenTrust's pre-trusted-seed anchor to bonded_trust's scarce bond. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
[Hackathon] Guillermo Weinmann: bonded_trust — a Sybil-resistant trust root with a pluggable scarcity anchor
Summary
Stop fake-identity swarms from buying reputation for free. In an agent marketplace a Sybil can spin up 10,000 accounts that vouch for each other and ride the reputation they manufacture.
bonded_trustmakes a trust root cost a scarce resource you can't fake by minting — credits, proof-of-work, or a consensus grant — so free identities stay worthless no matter how many you create. A squirrel doesn't trust another squirrel because it says it has nuts; it trusts the one that actually stashed some.The gap being filled here
The merged/open trust plugins (score_average, EigenTrust-style plugins, agent_receipts) ration influence among identities that already exist; none stops the free minting of identities. The EigenTrust submissions concede the boundary:
NEST's
did_keymints identities for free, so upstream has failed by default.bonded_trustcovers that seam. It does not claim to beat Douceur's Sybil impossibility result (2002) — and it takes Douceur seriously: the resource must be genuinely scarce and verified, not self-asserted. So the plugin never trusts a self-declared bond.Mechanism
StakeLedger. If the agent can't afford it, no bond is recorded. A broke Sybil that sendsbond:1000000gets nothing.The pluggable scarcity anchor (payments · PoW · consensus)
The plugin is agnostic about what makes the bond scarce — that's a
StakeLedgeryou inject. Two ship intrust/stake_ledgers.py:CreditBackedLedger— scarcity = the payments layer's finite credits.ProofOfWorkLedger— scarcity = CPU: each bond unit needs a sha256 proof-of-work, so minting K identities costs K× the hashing. No payments layer, no trusted mint. Deterministic mining keeps traces reproducible.A consensus-gated allocator (quorum grants budget) fits the same interface. The zero-arg default,
SelfDeclaredLedger, grants any bond and is documented as simulation/test-only — mirroringhybrid_x25519'sdeterministic=Falsesecure-default discipline.Why it's materially different from the trust peers
score_average: one-agent-one-vote — the clique promotes itself in O(reports).bonded_trustneeds no pre-trusted set — the anchor is a scarce resource the ledger measures.The adversarial proof (same trace, different trust root)
The
sybil_bondscenario runs 20 Sybils that actually bidbond:1000000on empty wallets and cross-endorse, against 5 credit-funded honest traders. The trust plugin is load-bearing; the observer drives stake/report/score and broadcasts every score.Three validators, all FAIL on the baseline and PASS on bonded_trust:
sybil_bond_no_free_trust— no unbonded Sybil above the floor.sybil_bond_honest_trusted— honest traders rank strictly above Sybils (guards against a degenerate floor-everyone plugin).sybil_bond_attempts_rejected— Sybils bid for bonds and were rejected (proves the defense is enforced, not assumed).Honest boundaries (stated, not implied)
An attacker who spends real credits/work gains real influence; because the score is a bond-weighted mean, a reporter holding a bond majority can dominate a score's sign — that is intended ("most at stake, most say") and costs the whole budget. The guarantee is that influence is bounded by spent scarce resource, independent of identity count. A bonded-but-unendorsed agent scores 0.5 (staked, unproven) — reachable only by spending, never for free.
Artifacts
trust/bonded_trust.py— the plugin (registered astrust: bonded_trust), plus theStakeLedgerinterface andSelfDeclaredLedgerdefault.trust/stake_ledgers.py—CreditBackedLedger+ProofOfWorkLedger.scenarios_builtin/sybil_bond.py+scenarios/sybil_bond.yaml(+ bundled copy).validators.py— the threesybil_bond_*validators.Determinism
Pure integer/float arithmetic over insertion-ordered dicts; PoW mining scans nonces in order. Same seed → identical trace (asserted via sha256). make ci-local green.
🤖 Generated with Claude Code